08-08-2023 04:18 AM
Hello Wireless Experts,
I am currently setting up a Cisco ISE with a Guest Portal and a Cisco Wireless Controller 5520.
We want to separate different devices into different VLANs after authentication. This means that every device has to get a new IP address in the new VLAN after authentication.
In the first step, the user connects to the open SSID (VLAN 1600) and receives DNS & DHCP from the Cisco ISE DHCP & DNS service, which is bound to the Cisco ISE VLAN 1600 interface (10.16.0.11).
For example:
In the first step, the client connects to the SSID and receives the IP address 10.16.0.50 from ISE with a DHCP lease time of 300s.
After authentication, the policy set in ISE tells the WLC with a CoA that this device (10.16.0.50) is now placed in VLAN 1604. In VLAN 1604 the device receives an IP address from another DHCP server, for example 10.16.4.90.
The problem currently is that most Windows devices need about 30 seconds (after these 30 seconds, I noticed in Wireshark that Windows does a complete DORA process) to get a new IP address in VLAN 1604. Since the CoA is not a RADIUS Disconnect, it seems that Windows does not understand that it needs to get a new IP.
I also tested this scenario with an Android and an Ubuntu device - these devices take about 5-6 seconds until they get their new IP in VLAN 1604.
This Windows behaviour is currently not satisfactory for our guests.
Is there anything I can do in ISE or the WLC to tell the wireless clients that they have to get a new IP immediately?
For example, a RADIUS attribute sent by ISE to the WLC that tells the WLC to disconnect the client - like a RADIUS Disconnect?
I also tried to lower the DHCP lease time to 15 seconds - the Android and Ubuntu devices cope with these short DHCP lease times.
Only Windows (again) has problems with such low lease times. Windows devices renew their lease 3 times (DHCP T1 timer) and then lose their DHCP lease. It then takes around 17 seconds to start the new DORA process - during these 17 seconds Windows has no IP address.
Is there any better solution or best practice? Or is this behaviour really only controllable through endpoint (Windows) settings?
I can't believe that we are the only ones who separate different devices into different VLANs after authentication within the same SSID.
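The measurements the post describes (time from the CoA until the client holds an address in the new VLAN, per client type) are easy to get wrong by eyeballing a capture. The script below is an added example, not code from Cisco, ISE or the WLC: it reads a merged event log in a constructed format ("HH:MM:SS.mmm mac EVENT detail", as you might build by joining ISE CoA logs with a tshark DHCP capture), computes the address-less gap per client, treats a DHCPACK that merely re-confirms the pre-CoA address as a renewal rather than a move, and flags clients that never re-addressed at all. All MAC addresses, timestamps and addresses in the sample are constructed.

```python
"""Measure how long each wireless client stays without a usable address
between the CoA that moves it to a new VLAN and the DHCPACK that gives it
an address in that VLAN.

Added example for the thread above (not Cisco, ISE or WLC code). The log
format is an assumption: one event per line, "HH:MM:SS.mmm mac EVENT detail".
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample. Client ...01 behaves like the Windows case in the post
# (renews the old address once, then a full DORA ~30 s after the CoA),
# ...02 like the Android/Ubuntu case, and ...03 never re-addresses at all.
SAMPLE_LOG = """\
12:00:00.000 aa:bb:cc:00:00:01 DHCPACK 10.16.0.50 lease=300
12:00:00.000 aa:bb:cc:00:00:02 DHCPACK 10.16.0.51 lease=300
12:00:00.000 aa:bb:cc:00:00:03 DHCPACK 10.16.0.52 lease=300
12:00:04.000 aa:bb:cc:00:00:01 COA vlan=1604
12:00:05.000 aa:bb:cc:00:00:02 COA vlan=1604
12:00:06.000 aa:bb:cc:00:00:03 COA vlan=1604
12:00:10.400 aa:bb:cc:00:00:02 DHCPDISCOVER
12:00:10.900 aa:bb:cc:00:00:02 DHCPACK 10.16.4.91 lease=3600
12:00:20.000 aa:bb:cc:00:00:01 DHCPACK 10.16.0.50 lease=300
12:00:34.100 aa:bb:cc:00:00:01 DHCPDISCOVER
12:00:34.300 aa:bb:cc:00:00:01 DHCPACK 10.16.4.90 lease=3600
"""

LINE_RE = re.compile(r"^(\S+)\s+([0-9a-f:]{17})\s+(\S+)\s*(.*)$", re.IGNORECASE)


@dataclass
class Event:
    ts: datetime
    mac: str
    kind: str      # DHCPACK, DHCPDISCOVER, COA, ...
    detail: str    # free text after the event name (address, lease, vlan)


def parse_log(text: str) -> List[Event]:
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        events.append(Event(ts, m.group(2).lower(), m.group(3).upper(), m.group(4)))
    events.sort(key=lambda e: e.ts)   # stable sort keeps per-client order
    return events


def coa_gaps(events: List[Event]) -> Dict[str, Optional[float]]:
    """Seconds from each client's CoA to the first DHCPACK that assigns a
    different address than the one held before the CoA. None means no such
    ACK was seen: the client is still sitting on its old-VLAN address."""
    last_ip: Dict[str, str] = {}
    pending: Dict[str, Tuple[datetime, Optional[str]]] = {}  # mac -> (CoA time, old IP)
    gaps: Dict[str, Optional[float]] = {}
    for e in events:
        if e.kind == "COA":
            pending[e.mac] = (e.ts, last_ip.get(e.mac))
            gaps[e.mac] = None
        elif e.kind == "DHCPACK":
            ip = e.detail.split()[0] if e.detail else ""
            if e.mac in pending and ip != pending[e.mac][1]:
                coa_ts, _ = pending.pop(e.mac)
                gaps[e.mac] = round((e.ts - coa_ts).total_seconds(), 3)
            # An ACK re-confirming the old address is a renewal, not a move.
            last_ip[e.mac] = ip
    return gaps


def slow_clients(gaps: Dict[str, Optional[float]], threshold: float = 10.0) -> List[str]:
    """Clients that took longer than `threshold` seconds, or never re-addressed."""
    return sorted(mac for mac, g in gaps.items() if g is None or g > threshold)


if __name__ == "__main__":
    result = coa_gaps(parse_log(SAMPLE_LOG))
    for mac, gap in sorted(result.items()):
        print(f"{mac}: {'no new address' if gap is None else f'{gap:.1f}s'}")
    print("needs attention:", slow_clients(result))
```

Run against a real merged log, the per-client gap column is what the thread is arguing about; a client that shows up as "no new address" is the stale-IP case the second reply mentions, and is worth a closer look in the capture before any lease-time tuning.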
08-08-2023 06:48 AM
Unfortunately, the detection of a VLAN change and DHCP is up to the client. The laptops we have use Intel NICs, and what I have seen with pcaps is that Intel pings the default gateway and, if it fails 3 times, will kick off DHCP again. We also have some devices that will not detect a VLAN change at all and will sit with the incorrect IP.
08-13-2023 09:59 AM
How are you "authenticating" those users on an open SSID?
Why not use 802.1X so you authenticate the user FIRST and then put them directly into the correct VLAN straight away - no chopping and changing of VLANs?
08-14-2023 12:54 AM - edited 08-14-2023 12:55 AM
Users in this open SSID are authenticated within the guest portal (e.g. username and password of a guest ticket / self-registration workflow).
There is no technical possibility to authenticate these guest devices before they receive their IP in the guest portal network, since I don't know them before they enter our buildings.
08-14-2023 01:51 AM
Then sending a client disconnect is probably your only option to force the IP change.
That also won't be perfect because some clients may be slow to reconnect or might not reconnect at all without user intervention.
08-14-2023 02:59 AM
I guess so.
Is there any technical option in ISE to tell ISE to send a RADIUS-Disconnect to the WLC?